CVE-2022-23647

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23647
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23647.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23647
Aliases
Related
Published
2022-02-18T15:15:07Z
Modified
2024-12-12T08:49:22.727273Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

References

Affected packages

Debian:11 / node-prismjs

Package

Name
node-prismjs
Purl
pkg:deb/debian/node-prismjs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.23.0+dfsg-1+deb11u2

Affected versions

1.*

1.23.0+dfsg-1
1.23.0+dfsg-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-prismjs

Package

Name
node-prismjs
Purl
pkg:deb/debian/node-prismjs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.0+dfsg+~1.26.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-prismjs

Package

Name
node-prismjs
Purl
pkg:deb/debian/node-prismjs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.0+dfsg+~1.26.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/prismjs/prism

Affected ranges

Type
GIT
Repo
https://github.com/prismjs/prism
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.4.0
1.5.0
1.5.1

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.12.1
v1.12.2
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.17.1
v1.18.0
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.24.1
v1.25.0
v1.26.0
v1.3.0
v1.4.1
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0